Brief Summary

SQL Wildcard Attacks are about forcing the underlying database to carry out CPU-intensive queries by using several wildcards. This vulnerability generally exists in search functionalities of web applications. Successful exploitation of this attack will cause Denial of Service.

Black Box testing and example

Testing for SQL Wildcard Attacks:
Craft a query which will not return a result and includes several wildcards. You can use one of the example inputs below.
Send this data through the search feature of the application. If the application takes more time generating the result set than a usual search would take, it is vulnerable.

Longer queries will generally result in longer execution time. Craft the longest possible query allowed by the application.

Starting with % and ending with % will generally cause longer running queries.

Some search implementations may cache search results. During the testing, every search query should be slightly different to avoid this.

Performance is always about experimenting. Try different combinations to find the most expensive queries for that particular target system and data.

Gray Box testing and example

Testing for SQL Wildcard Attacks:

Query execution times can be observed in the database server, if certain queries take longer time it can be an indication of SQL wildcard attacks.

To test against application layer DoS attacks, it's important to watch HTTP logs and analyze response times. If the response times of certain pages in certain queries is longer than usual, those pages might be susceptible to SQL wildcard attacks.